漏洞平台

POC详情： 16e2dcd0e308e3e352a56f030b09bc72701c41d3

来源

https://github.com/Shadow0ps/CVE-2023-20198-Scanner

关联漏洞

标题： Cisco IOS XE Software 安全漏洞 (CVE-2023-20198)
描述：Cisco IOS XE Software是美国思科（Cisco）公司的一个操作系统。用于企业有线和无线访问，汇聚，核心和WAN的单一操作系统，Cisco IOS XE降低了业务和网络的复杂性。 Cisco IOS XE Software 存在安全漏洞，该漏洞源于允许未经身份验证的远程攻击者在受影响的系统上创建具有特权的帐户。

描述

This is a webshell fingerprinting scanner designed to identify implants on Cisco IOS XE WebUI's affected by CVE-2023-20198 and CVE-2023-20273

介绍


# Cisco IOS XE Device Scanner User Guide for CVE-2023-20198-Scanner

This is a webshell fingerprinting scanner designed to identify implants on Cisco IOS XE WebUI's affected by CVE-2023-20198 and CVE-2023-20273. This Python script checks for compromised Cisco IOS XE devices by making HTTP and HTTPS requests. It supports multiple ways to specify target IPs and provides threading for faster scanning.

## ChangeLog
- Added new Authentication NGINX Configuration file from [Talos Security's blog](https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/)
- Added [Explainer for configuration LUA script functionality](https://github.com/Shadow0ps/CVE-2023-20198-Scanner/blob/main/Exploitation_Explainer.md).
- Added CURL from Talos Blog along with Authorization HEX value provided by Talos Security.


A few things you can do with this scipt:

- [Scan a Single IP](https://github.com/Shadow0ps/CVE-2023-20198-Scanner/blob/main/README.md#--ip)
- [Scan a list of IP's (Provide a file with each IP on a new line and pass it via argument)](https://github.com/Shadow0ps/CVE-2023-20198-Scanner/blob/main/README.md#--target_file)
- [Scan a CIDR range](https://github.com/Shadow0ps/CVE-2023-20198-Scanner/blob/main/README.md#--cidr)
- [Specify a custom UserAgent](https://github.com/Shadow0ps/CVE-2023-20198-Scanner/blob/main/README.md#--user_agent)
- Specify new IOC's within the response.text using a file (IOCS.txt is the default file. Ensure each IOC is on a new line.) *Known IOCS will be updated regularly should new ones become known. All current IOC's are already implemented directly into the code for clarity.
- [Ability to specify a proxy for scans](https://github.com/Shadow0ps/CVE-2023-20198-Scanner/blob/main/README.md#--proxy)
- Concurrent Processing for speed and efficiency.
- [Rate Limiting](https://github.com/Shadow0ps/CVE-2023-20198-Scanner/blob/main/README.md#--rate_limit)
- Logging of compromised hosts.
- Visual indication of potentially compromised hosts vs "clean" hosts. - This is not a guarantee and is based strictly off the known IOC's.

## Requirements

- Python 3.x
- Required Python packages: `requests`, `termcolor`, `tqdm`

Install the required Python packages using pip if you haven't already:

```bash
pip install requests termcolor tqdm
```

## Usage

The script provides several command-line options for flexibility:

### `--target_file`

Specify a file containing a list of Cisco IOS XE Device IPs or hostnames. The IPs or hostnames should be listed one per line.

Example:

```bash
python iosxe-scanner.py --target_file targets.txt
```

### `--cidr`

Specify a CIDR range to scan. The script will generate all the IPs in the specified range and scan them.

Example:

```bash
python iosxe-scanner.py --cidr 192.168.1.0/24
```

### `--ip`

Specify a single IP to scan.

Example:

```bash
python iosxe-scanner.py --ip 192.168.1.1
```

### `--user_agent`

Set a custom User-Agent header for the HTTP requests. The default is `CISCO-IOS-Shell-Scanner-cisco-sa-iosxe-webui-privesc-j22SaA4z`.

Example:

```bash
python iosxe-scanner.py --user_agent "MyCustomUserAgent"
```

### `--rate_limit`

Set a rate limit in seconds between requests. The default is 1 second.

Example:

```bash
python iosxe-scanner.py --rate_limit 0.5
```

### `--proxy`

Specify an HTTP Proxy to use for requests.

Example:

```bash
python iosxe-scanner.py --proxy http://127.0.0.1:8080
```

### `--iocs_file`

Specify a file containing Indicators of Compromise (IoCs) to look for in the response text. The default is `IOCS.txt`.

Example:

```bash
python iosxe-scanner.py --iocs_file custom_iocs.txt
```

## Examples

### Scan a list of targets from a file with a rate limit of 0.5 seconds

```bash
python iosxe-scanner.py --target_file targets.txt --rate_limit 0.5
```

### Scan a CIDR range using a proxy

```bash
python iosxe-scanner.py --cidr 192.168.1.0/24 --proxy http://127.0.0.1:8080
```

### Scan a single IP with a custom User-Agent

```bash
python iosxe-scanner.py --ip 192.168.1.1 --user_agent "MyCustomUserAgent"
```

### Scan using a custom IoCs file

```bash
python iosxe-scanner.py --iocs_file custom_iocs.txt
```

## Notes

- This script disables SSL certificate verification for making HTTPS requests. Use this feature cautiously.
- This script is presented "As Is" with NO WARRANTY. USE AT YOUR OWN RISK!
- Use of this script may be illegal in your country or jurisdiction. While it only makes simple HTTP(S) requests and checks for specific responses it's up to you to determine whether or not its use is legal/ethical and appropriate. DONT BE A JERK.

If you find this script useful feel free to let me know or give me a follow on Twitter(𝕏) <https://twitter.com/shadow0pz>

文件快照


 [4.0K]  /data/pocs/16e2dcd0e308e3e352a56f030b09bc72701c41d3
├── [4.9K]  Exploitation_Explainer.md
├── [  38]  IOCS.txt
├── [4.8K]  iosxe-scanner.py
├── [4.6K]  README.md
└── [ 131]  targets.txt

0 directories, 5 files

神龙机器人已为您缓存

备注

1. 建议优先通过来源进行访问。

2. 如果因为来源失效或无法访问，请发送邮箱到 f.jinxu#gmail.com 索取本地快照（把 # 换成 @）。

3. 神龙已为您对POC代码进行快照，为了长期维护，请考虑为本地POC付费，感谢您的支持。